Essential Steps for Cyber Insurance

Almost daily, news reports cover ransomware attacks involving Garmin; the world’s largest cruise line operator; the Las Vegas school district; Brown-Forman, the manufacturer of global distilled spirits brands like Jack Daniels and Finlandia; and the University of Utah, among other victims.

The attacks illustrate ransomware’s far-reaching and costly impact in terms of exposed data, disrupted operations and ransoms paid: Intruders claiming responsibility for the Brown-Forman attack, for example, said they had copied a terabyte of confidential internal network data and threatened to share it online, as part of the extortion. The cruise line operator, Carnival, experienced the compromise of guest and employee personal data. The Las Vegas school district notified employees that their Social Security numbers may have been stolen. The University of Utah reportedly arranged to pay more than $455,000 to satisfy a ransom demand, while Garmin reportedly paid $10 million after certain web sites, customer support and user application functions were blocked.

Clearly, companies are living in an age of high cyber risk. In addition to ransomware – which is targeting three of five organizations – wildly lucrative business e-mail compromises (BECs) are also behind mounting financial losses. Through BECs, adversaries create fake but authentic-looking e-mails (often disguised to look like they were sent by a high-level executive) to trick employees into wiring money into bank accounts controlled by the bad guys. Like ransomware, BECs are generating lucrative returns for fraudsters, costing U.S. businesses more than $300 million a month – up from $110 million a month in 2016, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

To minimize the fallout from these and additional risks, organizations are increasingly investing in cyber insurance, a global market projected to reach $28.6 billion by 2026, up from an estimated $4.85 billion two years ago, according to a forecast from Allied Market Research. Cyber insurance often covers a company’s liability for data breaches leading to the compromise or loss of customers’ Social Security numbers, credit card accounts, health records and other personally identifiable information (PII). These insurance policies can also help a targeted organization cover the costs of customer breach notifications, fraud monitoring and the restoration of personal identities.

To be sure, cyber insurance is a significant investment. Acquired and managed correctly, this insurance coverage becomes part of an integrated cyber risk posture complementing security controls and policies. However, the insurance can bring a false sense of security and lead to coverage gaps and expensive disputes with carriers, if corporate IT, legal, risk and business leaders do not collaborate closely on the following essential action steps to take before updating or acquiring new coverage:

Inventory your assets – and understand their value

The IT ecosystem is much more dynamic today. The traditional perimeter no longer applies in the global, mobile age of digital transformation. There are more remote employees, third-party partners and non-traditional connected devices. Companies operate anywhere and everywhere, which leads to negotiating and purchasing coverage based on incomplete views of true assets and risks — increasing the probability of costly disputes. A single shift like moving e-mail, storage and other applications to the cloud, for example, could get entirely overlooked – and uncovered. That’s why IT and a cross-functional team of leaders must develop a comprehensive, current view of these assets and their role in supporting business continuity, customer services and the accomplishment of strategic/bottom-line goals.

An objective, “data-first” approach proves critical in visualizing and managing coverage requirements. Cyber insurance evaluation team members need to pinpoint where the data resides, and where it travels to, i.e., which non-traditional networked devices, new partners or regional offices it touches. Even if entirely new parties are not handling the data, team members must determine if they’re storing information in new internal locations and form factors, which may make the data more susceptible to theft or exposure.

Understand what is covered, and what is not

The cybersecurity profession uses terminology like “compromise,” “intrusion” or “incident.” The insurance domain assigns very specific meaning to words like “theft,” versus “loss” and “damages.” These terms are not interchangeable, and the stakes for coverage disputes and litigation are high because so much turns on whether a cybercriminal “broke in” to steal or ransom something, for example — versus tricking a victim into e-mailing the attacker sensitive files that figure in a compromise.

Therefore, it’s critical to know coverage and limits before an incident, with the leadership team mapping out plausible attack scenarios and consequences, along with a range of possible outcomes in the form of stolen data, business disruptions, brand reputation damage and customer churn. Then, team members must ensure that these outcomes are covered in the scale and scope of coverage.

Enlist a digital forensics and incident response partner before you buy

Many organizations benefit from sharing their initial cyber insurance checklists and assessments with a trusted digital forensics and incident response (DFIR) partner experienced in cyber insurance investigations and related matters. A DFIR partner familiar with your business and industry sector brings invaluable “outside eyes” on potential coverage gaps and helps ensure your team will be able to preserve files and document how an incident occurred, maximizing the likelihood that accurate claims for covered incidents are processed as quickly as possible. 

Policyholders benefit from “writing-in” (specifying) the DFIR partner as the designated, go-to response firm for incidents. Otherwise, the carrier will designate a response firm from its list of default contractors – vendors that do not command the same level of knowledge about a firm’s IT ecosystem and operations. And default vendors work for the insurance provider to reduce its liability, instead of committing to the interests of the policyholder.

Cyber insurance is a booming part of the risk management world spurred on by current events. It can be a key part of your organization’s safety net. But, like any net, it can come with holes – holes that can amount to an unnecessarily expensive proposition for companies that fail to recognize and eliminate them. By combining complete IT asset awareness with granular attention to detail about coverage, an organization can move forward with its DFIR partner to ensure the continuous improvement of risk mitigation and containment efforts no matter how forbidding the circumstances – along with the right insurance plan for these uncertain times.

6 Cybersecurity Threats for Insurers

The connectedness of everything – assets, people, business and commerce – has increased the severity and frequency of cyber attacks. The insurance sector faces a bigger threat than most industries because insurers deal with extremely sensitive data. Several insurance companies, such as Premera Blue Cross and Anthem, have experienced significant data breaches over the past years. However, these are not the only insurers affected. A report by Accenture shows that an average insurance company receives over 100 cybersecurity attacks each year, with 30% of the attempts being successful.

As an insurance leader, being aware of the potential cybersecurity threats puts you in a better position to adopt the right prevention measures. Here are the top cybersecurity threats in the insurance sector that you should know.

6 Cybersecurity Threats for Insurance Leaders

1. Cloud Vulnerabilities  

Cloud data access and storage have become common practice for many people. However, this practice can increase the risk of a data breach. You can be susceptible to denial-of-service (DoS) and account hijacking attacks. With such attacks, hackers can access and tamper with your company’s data while preventing your team from accessing it. This threat can be prevented by implementing an extensive cyber risk management plan.

2. Patch Management

If your insurance company is using outdated software, you have a higher risk of cyberattack. Most cybercriminals exploit software vulnerabilities to access and steal company information. Failing to apply software patches makes your organization vulnerable to numerous data breaches.

Exposure to cybercrime can come through something you might consider as minor as the computer operating system. For instance, most organizations became exposed to cyber-attacks in 2018 for failing to update their Microsoft Office software following a patch release for the EternalBlue vulnerability. Therefore, it is advisable that you stay up to date with any software you are using in your organization to avoid costly attacks.

3. Social Engineering

With the increase in social interactions, cybercriminals are exploiting such opportunities to launch social engineering attacks. Deception is the major aspect of such attacks. Usually, these criminals use trickery and manipulative approaches to lure individuals into taking various actions. For instance, you can be lured to disclose sensitive information or even bypass set security measures.

Social engineering threats are high because targets simply give hackers access to the system. Thus, it is hard for you to prevent these crimes with cybersecurity systems. However, regular training on cybersecurity is necessary for ensuring that your team members know how to detect and prevent such crimes.

4. Ransomware Threats

If you thought it was only individuals who can be held hostage, think again, because your computer systems and data can, too. Ransomware attacks are some of the serious cyber threats you should worry about in the modern era. A report by the U.S. Department of Homeland Security reveals a rising number of ransomware attacks. The hackers attack your network and prevent you from accessing any data in it until a certain amount is paid. Such attacks are associated with significant losses. For example, besides the immediate losses, a ransomware attack can lead to huge monetary damages because of lost data and loss of productivity.

5. Third-Party Exposure Threats

The use of third-party services is a common practice nowadays, especially for payment processing. Most organizations do not take the necessary precautions when engaging in third-party transactions. Even where the party you are transacting with does not handle personal data directly, it can put your organization at risk of attack.

Hackers are using malware to access personal data, such as credit card numbers and Social Security numbers, through third-party companies. Therefore, it is important to take all the necessary precautions when dealing with a third-party vendor. For instance, inquire about their policy on data breaches and find out whether they have any measures in place to prevent cybersecurity attacks.  

6. Outdated Hardware

There is a common misconception that cybersecurity threats have to come from software. If you are using outdated hardware, your company data is vulnerable, too. With the increasing rate of software updates, some hardware may find it challenging to keep up. It may be difficult for obsolete hardware to accept the latest security measures and patches. In such cases, your organization’s data is exposed and, hence, at a high risk of cyberattack. Therefore, it is critical to regularly check your devices and replace any obsolete ones to avoid attacks related to outdated hardware.

Holistic Risk Management Plan

There you have it – a comprehensive overview of some of the top cybersecurity threats in the insurance sector. Evidently, as technology advances, insurance companies will continue to face different forms of cybersecurity threats.

While there might not be a one-size-fits-all approach to address or prevent cyber threats, being knowledgeable on the various cybersecurity vulnerabilities can help you adopt better risk detection and prevention measures. Therefore, make sure to adopt a holistic management plan to stay away from most of these threats.

The Missing Tool for Cyber Resilience

Cyber attacks have been on the rise for years, but many organizations are unaware of just how costly cyber incidents can be and what protective measures are most effective in mitigating loss. The question is not “if” an attack will happen, but “when.” In fact, a report by Cybersecurity Ventures estimates that global ransomware damage, which includes loss of data, lost productivity, reputation damage and more, will cost organizations $20 billion by 2021.

Many companies are still skeptical of what cyber insurance actually covers and are oftentimes unsure of which policy best suits their needs. According to Advisen’s 2019 Cyber Insurance: The Market’s View survey, “not understanding exposures” (73%), “not understanding coverage” (63%) and “cost” (46%) remain the top three identified obstacles to writing and issuing cyber insurance.

But thanks to recent developments, including the use of AI to assess cyber risk for an organization’s cyber posture, cyber insurance no longer has to be a long, drawn-out and complicated process. In other words, we can treat cyber insurance like another important tool in an organization’s cyber resilience toolkit, alongside endpoint security, securing networks and the like. 

Here is how business owners can ensure they are purchasing a comprehensive cyber insurance policy, unique to their business: 

Choose a Carrier With Expertise in Technology

While many in the cybersecurity sector argue that cyber insurance isn’t effective and that prevention is the only solution, when executed correctly cyber insurance can save organizations big money and repair reputational damage. Insurance providers with expertise in cybersecurity know that policies should be specifically designed for cyber risk exposure — not associated with other lines of coverage. The most thorough policies to safeguard against cyber threats take into consideration security, cloud, compliance and other security best practices. 

As the digital landscape evolves and malicious cyber criminals find new ways to wreak havoc, cyber insurers must go beyond data breach coverage and offer policies that cover all forms of cyber incidents — ransomware, cyber extortion, social engineering,  business interruption due to distributed denial of service (DDoS) attacks and more. Ransomware-as-a-Service, for example, is now a business in itself, with bounties doubling or tripling during 2019 and forcing the insurance industry to rethink how it approaches coverage and limits. 

Prioritize Education and Analysis

When selecting a cyber insurance policy, organizations should not only want to protect themselves but also educate themselves. The ideal policy offers dynamic, automated, insurable cyber risk assessments, providing businesses with real-time insights into insurable risks. There should be full transparency for all stakeholders: Policyholders, brokers, agents, insurers and reinsurers should have the same access and visibility to risk data.

Manage Risk Aggressively

An effective cyber insurance policy should cover the cost of a security team in the midst of a cyber attack as part of the breach response. The security team would then determine how to upgrade systems to ensure maximum privacy. From a technology standpoint, cyber insurers must anticipate possible threats and continuously evaluate underwriting practices. Another key element in risk management is evaluating the time and cost of recovery. Companies with precise plans on how to get back on their feet after a cyber catastrophe will, without a doubt, be most prepared.

When purchasing a cyber insurance policy, you are not just paying for cyber insurance but also all of the services that go along with it. Outside of paying claims, cyber insurers must focus on providing customers with tools that empower them to learn more about the cyber landscape and better protect their businesses.

With many organizations looking to cut costs during COVID-19, some may be quick to axe security spending. Defending against cyber threats that have the power to damage entire corporations and livelihoods, however, is not an area to skimp on. Other assets in our lives are no-brainers to protect,  such as our homes, health and vehicles; there’s insurance for that. There’s no reason that companies shouldn’t add cyber insurance to their resiliency plans to prevent financial and reputational ruin.

Ransomware Grows More Pernicious

Ransomware attacks and ransom payments for data continue to spike, with The New York Times reporting a 40% increase between 2018 and 2019.

As cyber threats go, ransomware is especially insidious, because these attacks, hitting everything from municipalities to banks to small businesses, often go unreported. That means less shared information and fewer actionable insights for insurers or insureds trying to arm against an ever-morphing enemy.

We saw a gap — leading incident response experts who work with the cyber insurance industry didn’t have a forum to exchange information about what was happening on the front lines of these attacks.

We needed a way to get our arms around this problem to better support our cyber insurance carrier partners, a way to keep up to date and better understand the data trends from the expert’s vantage point at ground level.

Enter the Cyber Insurance Ransomware Advisory Group, which NetDiligence assembled in early 2020. The group features 20 members from leading breach incident response service providers, consisting of Arete, Charles River Associates, Crowdstrike, Kroll, Kivu, Tracepoint, MOXFIVE, Tetra Defense and others.

The group meets quarterly and at select NetDiligence Cyber Risk Summit conferences to discuss emerging trends and best practices and make these insights available to the cyber insurance industry.

The Emergence of the Maze Variant

One of the key takeaways from the inaugural meeting was the emergence of the Maze variant and a “new normal” of data exfiltration, often including stolen private customer information.

Whereas previous generations of ransomware have been designed by threat actors to encrypt data and extort an organization for bitcoin in exchange for the decryption key, Maze significantly increases the pressure on the victimized organization and threatens to make the stolen data public by releasing it on the internet.

This has magnified the potential loss exposure and has led to a host of new privacy data breach risks for insureds — with accompanying notification requirements.

Even clients capable of restoring files from secure backups may find themselves subject to privacy data breach impacts, such as the need to comply with state breach notification laws that include attorneys general and the victimized population, which significantly increases claim costs.

Ryuk Is Still Ever-Present

Another dangerous variant, Ryuk, continues to plague organizations with its tendency to attack both servers and workstations.

Experts expressed concern about organizations responding to Ryuk attacks with complete network shutdowns rather than impact isolation.

When assisting small to medium-sized enterprises (SMEs), experts often find it challenging to convince management of the necessity of deploying automated malware eradication and remediation tools and to ultimately convince these organizations to keep endpoint protection in place once the immediate incident is resolved.

What Other Ransomware Concerns Are Out There?

Other specific ransomware types encountered include DoppelPaymer, Sodinokibi, REvil and Netwalker, as well as the continued rise of ransomware as a service (RaaS).

During the COVID-19 global pandemic, the impact of ransomware could prove devastating to an organization that may already be struggling.

Many of the widely held notions about ransomware are changing, we found. After paying the ransom, some organizations may never receive the promised decryption key (in the past, certain threat actors were believed to be reliable).

Even with reliable threat actors, experienced negotiation can be critical.

Threat actors are also extorting organizations to pay for their encrypted administrator-level credentials. And, increasingly, ransomware affects the backup files, as well, encrypting or otherwise making them unusable for data recovery.

The experts reported that more than 50% of the time backups had already been exploited.

To Pay or Not to Pay

Nevertheless, recovering from a viable and segmented backup repository is still the preferred method of the majority of experts rather than paying the bad guys.

In fact, reported time for business interruption is much longer for cases where the ransom is paid — lasting from three to 15 days. If backup is used, business interruption typically spans one to 10 days, experts say.

This was a bit of a surprising finding. Members advised that the negotiation process itself, as well as problems encountered with the unreliable decryption keys, have contributed to delays with the bitcoin payment path and extended the business interruption.

A Need for a Cyber-Ready Team

A continuing concern for handling ransomware remediation is the difficulty for SMEs to respond in a timely manner toward the essential task of paying larger amounts of bitcoin — or authorizing a third party to pay — for the ransom demand (averaging $100,000, but based on severity ranging from $400,000 to $8 million, according to group members) within the given timeline for response.

SME clients often don’t have the liquidity for these significant payments, even if their cyber insurer will reimburse them.

What’s more, SME-sized IT departments are often unprepared to deal with this type of business interruption and may at times lack a functional understanding of cyber policy coverages and the supporting claims process, which forces them to learn on the fly during the crisis — underscoring that preparation is key.

Finally, the expert group reported that leading cyber security deficiencies that continue to haunt organizations include the usual suspects: lack of multifactor authentication, lack of next generation anti-malware endpoint protections, open remote desktop protocols, unsegmented backups and lack of employee training.

One thing is certain: The ransomware scourge is no fleeting trend. Experts believe that it’s here to stay, inflicting damage as long as companies are willing to pay.

With the onset of COVID-19, ransomware attacks continue apace. While the nature of the attacks has altered slightly, their frequency has not, said Winston Krone, global managing director of Kivu Consulting.

The Ransomware Advisory Group will continue to stay on top of these threats so that carriers and their policyholders can defend against them.

Quick Takeaways for Cyber Carriers and Covered Entities:

  • Ensure that policyholders’ management has in place an actionable data breach incident response plan that can be accessed at a moment’s notice and includes vital third-party experts known to their cyber insurer.
  • Offer a loss control checklist for SMEs of some baseline must-have cyber security measures to mitigate ransomware, such as multifactor authentication (especially in O365), endpoint protections (for example, Crowdstrike’s Falcon Prevent), closing remote desktop protocols, cloud-based backups and employee training.

You can find this article originally published here on riskandinsurance.com

5 Questions That Thwart Ransomware

This past summer was something of a perfect storm for small businesses, which weathered an increase in ransomware attacks, which in many cases started with an IT vendor or managed service provider (MSP).

Ransomware incidents reported to our company were up 37% in the third quarter when compared with the first three months of the year, and 24% were confirmed to be caused by a vendor or MSP.

Those statistics are bad news for small businesses that manage their IT resources with the help of an MSP and worse news for small businesses that outsource their entire IT operation to the MSP, which includes everything from building the network and managing applications to servicing any and all IT requests.

In fact, in the first nine months of last year, 63% of all the ransomware incidents reported to our breach response unit came from small businesses, many of which rely on an MSP. Why is that figure so high? MSPs make ripe targets for ransomware attacks.

They have to balance, on the one hand, a need for speed and convenience when it comes to being able to respond to clients and, on the other hand, the need to have the right security controls in place. Too often, speed and convenience win out over security controls.

For example, in many cases, MSPs have reused credentials across clients so that MSP employees can service multiple clients more quickly. Similarly, MSPs might not enable multi-factor authentication (MFA) on the remote access point they use to pivot to client environments.

In many incidents in the third quarter, attackers exploited the remote management application that connects the MSP to the client. The same MSP user account would log into multiple client environments and install ransomware. If the MSP had set up individual user accounts for each of its clients, it is more likely that the exploitation of the single set of credentials would have only enabled unauthorized access to a single client’s environment, diminishing the risk to their clients.

Further, an MSP user account often has to have full administrative access to assist with regular IT functions, so, when credentials were compromised, the attackers had full administrative access to clients’ environments.
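One way a defender could review remote-management sign-in logs for the shared-account pattern described above, shown as an added example that is not part of the original article. The log format, field names and account names are constructed for illustration, and the 15-minute window and three-client threshold are assumptions to tune.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sign-ins exported from a hypothetical remote-management tool.
SAMPLE_LOG = """\
timestamp,account,client,mfa,role
2019-08-12T02:01:10,msp-tech01,client-a,no,admin
2019-08-12T02:03:45,msp-tech01,client-b,no,admin
2019-08-12T02:06:02,msp-tech01,client-c,no,admin
2019-08-12T09:15:00,svc-client-d,client-d,yes,admin
2019-08-12T09:40:00,svc-client-d,client-d,yes,admin
2019-08-12T10:00:00,msp-tech02,client-a,yes,operator
2019-08-12T16:30:00,msp-tech02,client-e,yes,operator
"""


def parse_events(text):
    """Parse the CSV export into time-ordered event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["mfa"] = row["mfa"].strip().lower() == "yes"
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])


def blast_radius(events):
    """Map each account to the set of client environments it signed in to."""
    reach = defaultdict(set)
    for e in events:
        reach[e["account"]].add(e["client"])
    return reach


def burst_accounts(events, window=timedelta(minutes=15), min_clients=3):
    """Accounts that touch min_clients distinct clients inside one window."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    hits = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window.
            while evs[end]["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            clients = {e["client"] for e in evs[start:end + 1]}
            if len(clients) >= min_clients:
                hits[account] = sorted(clients)
                break
    return hits


def review(events):
    """Report every account shared across clients, with its risk flags."""
    reach = blast_radius(events)
    bursts = burst_accounts(events)
    findings = []
    for account in sorted(reach):
        if len(reach[account]) < 2:
            continue  # per-client account: a stolen credential exposes one client
        evs = [e for e in events if e["account"] == account]
        findings.append({
            "account": account,
            "clients": sorted(reach[account]),
            "admin": any(e["role"] == "admin" for e in evs),
            "no_mfa": any(not e["mfa"] for e in evs),
            "burst": account in bursts,
        })
    return findings


if __name__ == "__main__":
    for finding in review(parse_events(SAMPLE_LOG)):
        print(finding)
```

An account that appears in the output at all is one whose compromise reaches more than one client; the `admin`, `no_mfa` and `burst` flags rank which of those to split into per-client accounts first.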

So, why the increase in MSP ransomware attacks this summer? According to Bill Siegel, CEO and co-founder of ransomware response platform Coveware, hackers have found a way to magnify the attacks on MSPs. Specifically, developers of Sodinokibi ransomware are now using techniques employed originally by GandCrab ransomware to make the attacks on MSPs more profitable.

These MSP ransomware attacks over the summer exposed incident response challenges. For small businesses that completely rely on outsourced IT, a massive ransomware attack across clients draws on the MSP’s resources and inevitably leaves many businesses in the dark. Small business owners without a technical background struggle to understand and assist the external legal and forensics vendors who are hired to help them respond to the attack.

The response is further complicated when the MSP itself is also infected with ransomware. Where an attack group knows it has hit an MSP, and infected downstream clients, the group may refuse to negotiate with the end clients and instead only respond to the MSP to increase ransom demands. This tactic can also leave clients with little to no control over their data software recovery.

For all of these reasons, we urge small businesses to ask the following important questions when vetting a potential MSP:

  1. Is there a security program in place, including periodic risk assessments to identify areas for improvement?
  2. Is there continuing security awareness training across the organization?
  3. Is there an SSAE 18 SOC 2 Type II report or similar type of report available to customers, attesting to the security control environment?
  4. If access to personally identifiable information or protected health information is necessary, how is this protected at the vendor (e.g. encryption, secure remote connections, restricted access, logging and monitoring)?
  5. Are security and availability requirements enforced in master service agreement contracts (e.g. sensitive data protection, up-time guarantee/service level agreements, security incident reporting/coordination, regulatory compliance requirements)?

Our third-quarter statistics clearly show that small businesses and MSPs are big targets for hackers. It is absolutely critical that small businesses are working hand-in-hand with all their IT vendors to prevent ransomware attacks from happening in the first place.